youseries / ureport

UReport2 is a high-performance pure Java report engine based on Spring architecture, where complex Chinese-style statements and reports can be prepared by iterating over cells.
Apache License 2.0
2.05k stars 836 forks source link

Remote code execution vulnerability due to arbitrary file creation. #485

Open T3qui1a opened 4 years ago

T3qui1a commented 4 years ago

We find the stored part of this file by searching the key functions.

image

View calls in this section

image

Network truncation of parameter transfer in this part.

image

Try to modify to JSP webshell.

image

The error reported here is an error occurred during XML parsing, but the file has been written into the server.

image

Find this directory.

image

Of course, this directory can't access JSP. Try to cross directory with relative path.

image

image

Successfully cross directory and get webshell.

image

126wss commented 1 year ago

the key functions are in ureport2-core/src/main/java/com/bstek/ureport/provider/report/ReportProvider.java or ureport2-core/src/main/java/com/bstek/ureport/provider/report/classpath/ClasspathReportProvider.java or ureport2-core/src/main/java/com/bstek/ureport/provider/report/file/FileReportProvider.java ? we want to reproduce this vul as well